Do you know how to report a computer crime? Or even who you would report it to?
So far, we’ve looked at unauthorised email account access and malware in our series of articles on how to report a computer crime. In this article, we’ll look at an SQL injection attack.
We’ll look at what offences are committed in different countries when a crime like this happens, how you should report the crime, and what evidence you can preserve.
Take this scenario:
A company has a web server and associated database configured to serve dynamic content. The company has set up its website insecurely, leaving it vulnerable to input validation attacks.
A cybercriminal has been hired by a competitor of the company to “take the company offline”. The cybercriminal has identified that the company website is susceptible to SQL injection, so performs a series of SQL injection attacks.
This results in the deletion of a number of tables from the database, rendering the company website inoperable.
What was the offence?
We can break it down like this:
- The cybercriminal identifies that the company website is susceptible to SQL injection.
- He performs an unauthorised act in relation to a computer when he uses the SQL injection to gain access to the server.
- The cybercriminal commits a further offence when he deletes the database tables and impairs the functionality of the server.
The legal bit
We’ve focused on the UK, USA, Canada and Australia. Each country has its own legislation, though in each case a relevant statute usually exists to cover the same offences.
In the UK, most computer crime falls under offences covered by one of three pieces of law:
Other associated crimes could include Conspiracy or Money Laundering offences, but victims of computer crime are more often than not affected by at least one of the three acts listed above.
In this case the cybercriminal commits two offences in the UK. Initially, he commits the offence of “Unauthorised Access” by using SQL injection to facilitate access to the company’s server.
He then commits a further offence of “Unauthorised Act with Intent to Impair” when he deletes the database tables, impairing the functionality of the database server.
Under these circumstances there has been a definite targeted attack.
In this case, the cybercriminal commits the offence of “Unauthorised Act with Intent to Impair”, contrary to Section 3 of the Computer Misuse Act 1990, which is committed when an offender modifies a computer with intent to impair the functionality of that computer.
In the USA, most cybercrime offences are covered by Title 18, United States Code (USC) Section 1030 – Fraud and related activity in connection with computers.
This is what the cybercriminal contravened when he used a SQL injection to facilitate access to the company’s server.
The Criminal Code of Canada contains sections that specifically cater for cybercrime, including:
- Unauthorised Use of Computer
- Possession of Device to Obtain Computer
- Mischief in Relation to Data
- Identity Theft and Identity Fraud
In this case, both Section 342.1 Canadian Criminal Code (CCC) – Unauthorised Use of a Computer – and Section 430(1.1) CCC – Mischief in Relation to Data (damaging data) – were contravened.
Both state laws and commonwealth laws exist in Australia. In South Australia, the investigation of cybercrime by police is classified under three tiers and is spread across the organisation depending mainly on severity.
The primary legislation for computer offences is the Summary Offences Act, 1953 (SOA) and the Criminal Law Consolidation Act, 1935 (CLCA).
Reporting the crime
In the UK, when a crime has taken place it should be reported to the police, so a representative of the company should report it at the local police station.
A crime allegation may be investigated by a police force or may be referred to the Police Central e-Crime Unit (PCeU), which provides the UK’s investigative response to the most serious incidents of cybercrime. The PCeU requests that routine reports of computer crime offences are not made directly to it.
There is also an alternative reporting body for internet-enabled crime: Action Fraud.
Action Fraud records and passes on crime reports to the National Fraud Intelligence Bureau, who then decides whether the incident requires further investigation, as not all computer crimes are investigated.
In the USA, the Department of Justice website contains a Computer Crime and Intellectual Property Section with a contact page for reporting incidents to local, state or Federal Law Enforcement Agencies (LEA).
Two Federal LEAs have a remit to investigate some computer crimes:
- The Federal Bureau of Investigation (FBI)
- The United States Secret Service (USSS)
In this case the crime should be reported to the local FBI office, the US Secret Service, or the Internet Crime Complaint Center.
The Royal Canadian Mounted Police (RCMP) are the main agency with regard to the investigation of federal statutes, but they also have policing responsibility for a number of the Canadian provinces and all three territories, as well as providing some local police services in towns and cities.
The company should report the attack to their local police service. If appropriate, it will be escalated for the attention of the agency with federal responsibility, the RCMP.
The company should report the crime to the Australian State or Territory Police.
Investigation policy differs from state to state but the Australian Federal Police website offers a guide on whether the crime should be reported to either Australian State or Territory Police.
Preserving the evidence
The company should keep as many logs as possible as potential evidence.
The company should take down the affected site and replace it with a holding page.
It should also lock down FTP access and change all access credentials.
Going forward, the company should enable full logging on the server (if it was not enabled previously). Incomplete logging can prevent identification/analysis of future attacks.
It could also consider adding its own scripts to catalogue the entire contents of the web folders (to highlight unexpected file additions or modifications).
Once the site has been cleaned it can be brought back online.
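As an added illustration of the cataloguing script suggested above (example code, not from the original article or from Sophos), the following baselines every file under a web root by size and SHA-256 and reports files that have since been added, modified or removed. The web root and baseline file paths are command-line arguments; the baseline should be stored off the web server, since it is part of the evidence.

```python
import hashlib
import json
import os
import sys
from pathlib import Path


def catalogue(root):
    """Walk `root` and return {relative path: (size, sha256)} for every regular file."""
    inventory = {}
    root = Path(root)
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if not path.is_file():  # skip sockets, broken symlinks and the like
                continue
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            inventory[str(path.relative_to(root))] = (path.stat().st_size, digest.hexdigest())
    return inventory


def save_baseline(inventory, baseline_file):
    """Write the inventory as sorted JSON so two baselines can be diffed by eye or by tool."""
    with open(baseline_file, "w") as fh:
        json.dump(inventory, fh, indent=2, sort_keys=True)


def load_baseline(baseline_file):
    with open(baseline_file) as fh:
        return {path: tuple(entry) for path, entry in json.load(fh).items()}


def compare(baseline, current):
    """Return the paths added, modified (size or hash differs) or removed since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "modified": modified, "removed": removed}


if __name__ == "__main__":
    # usage: python catalogue.py /path/to/webroot /path/off/server/baseline.json
    # First run writes the baseline; later runs report changes against it.
    web_root, baseline_file = sys.argv[1], sys.argv[2]
    now = catalogue(web_root)
    if not os.path.exists(baseline_file):
        save_baseline(now, baseline_file)
        print(f"baseline written: {len(now)} files")
    else:
        for kind, paths in compare(load_baseline(baseline_file), now).items():
            for p in paths:
                print(f"{kind.upper():8} {p}")
```

Run it from cron after the site is cleaned and any unexpected ADDED or MODIFIED line is worth investigating before the next attack succeeds.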
In future, the company should consider proper security auditing of its website by an accredited penetration testing professional or company.
If you’re interested in reading more about the different types of attacks on web servers and the ways they can be protected, take a look at Sophos’s whitepaper on securing websites.
In general, it’s important that all computer crime is reported. Even if no investigation follows, crime report intelligence can be built up and an accurate picture of the levels of computer crime can be produced.
If victims of a particular crime do not come forward to report incidents, then the number stated in crime reporting statistics will not be a true reflection of the number of crimes taking place.
The scenario above is given as an example to help you in understanding when and what offences have taken place. Please be reminded that no two situations are the same and we have not catered for the “what if” situation.
We have also not included any corporation’s AUP (Acceptable Use Policy) that may be in place and may have been breached.
All of the scenarios are made up and the characters depicted bear no resemblance to any person.
Naked Security gratefully acknowledges the assistance of the following organisations in preparation of this series of articles:
UK Police Central e-Crime Unit
United States Federal Bureau of Investigation
United States Secret Service
Royal Canadian Mounted Police
South Australia Police
Sad man at computer, keyboard, hacker and padlocked cables images courtesy of Shutterstock.
2 comments on “How to report a computer crime: SQL injection website attack”
Thank you for these awesome articles on reporting breaches and cybercrime. Please keep them going!
Well, I'm from Italy. A friend reported an attack, where he got the IP addresses, to the postal police, and they told him they cannot do anything because it was an IP from the U.S., so outside Italy. They told him to secure the site against SQL-injection attacks.
So, he has to contact US LEA to try to get the attackers? But we both think the attacker probably used a proxy, so things are not so easy…